On Tue, Dec 07, 2004 at 11:51:56PM -0600, Mike Miller wrote:
> Can you explain this further? I have the impression (or misimpression)
> that allowing root login is dangerous because if a vulnerability in sshd
> allows login without a password, an attacker can then login as root.

There has never been such an exploit to my knowledge, and the likelihood of
one is pretty low. You're more likely to run into a buffer overflow that
grants the exploit code the privs of sshd (root).

> If
> root login is not allowed, they must guess a username, and if that works
> for them, they still won't have root permissions.

No, just bin, daemon, apache, <mail userid>, etc.

> Anything that postpones
> a successful attack during the time between discovery of the exploit and
> application of the patch will be helpful. Is this way of thinking all
> wrong? I am happy to be corrected because I am not a computer expert.

This is like keeping your valuables in your basement, in the off chance that
an airplane happens to crash into the second floor of your house.

If you really want to secure your system:

1) stop using passwords entirely (use RSA/DSA keys)
2) filter ssh access to only known hosts (where possible)
3) Disable protocol 1 backwards compatibility
4) Disable authentication methods that you do not use, kerberos, rhosts, etc.
5) keep your sshd up to date

>
> Mike

--
Matthew S. Hallacy                            FUBAR, LART, BOFH Certified
http://www.poptix.net                           GPG public key 0x01938203

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
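
Items 1 to 4 of the checklist in the message above can be checked mechanically against an sshd_config; the following is an added example, not part of the original message or of OpenSSH. It assumes the defaults of 2004-era OpenSSH (`Protocol 2,1`, password login on), treats `ChallengeResponseAuthentication` as a password path, and takes `AllowUsers user@host` as one way to express item 2; `Protocol` and `RhostsRSAAuthentication` are keywords of that era that current releases have deprecated or removed, and the function names and sample configs are constructed for illustration.

```python
# Added example: audit an sshd_config against items 1-4 of the list above.
# Assumption: defaults are those of 2004-era OpenSSH (e.g. Protocol "2,1").
DEFAULTS = {
    "protocol": "2,1", "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "rhostsrsaauthentication": "no", "hostbasedauthentication": "no",
    "kerberosauthentication": "no", "gssapiauthentication": "no",
}
UNUSED_METHODS = ("rhostsrsaauthentication", "hostbasedauthentication",
                  "kerberosauthentication", "gssapiauthentication")

def parse(text):
    """Return keyword -> value; sshd uses the first occurrence of a keyword."""
    seen = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""
        if key == "allowusers" and key in seen:
            seen[key] += " " + value      # repeated AllowUsers lines accumulate
        else:
            seen.setdefault(key, value)   # later duplicates are ignored
    return seen

def audit(text):
    cfg = {**DEFAULTS, **parse(text)}
    findings = []
    for key in ("passwordauthentication", "challengeresponseauthentication"):
        if cfg[key].lower() != "no":
            findings.append(f"1: {key} is enabled; use keys only")
    if not any("@" in p for p in cfg.get("allowusers", "").split()):
        findings.append("2: no AllowUsers user@host filter (check firewall instead)")
    if cfg["protocol"].replace(" ", "") != "2":
        findings.append(f"3: Protocol {cfg['protocol']} still permits protocol 1")
    for key in UNUSED_METHODS:
        if cfg[key].lower() == "yes":
            findings.append(f"4: {key} is enabled; disable it if unused")
    return findings

# Constructed sample configs, not taken from any real host.
WEAK = "Protocol 2,1\nPasswordAuthentication yes\nKerberosAuthentication yes\n"
HARDENED = ("Protocol 2\nPasswordAuthentication no\n"
            "ChallengeResponseAuthentication no\nAllowUsers admin@192.0.2.10\n")

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text) or "no findings")
```

Item 5 (keeping sshd up to date) is a patching task and cannot be read from the configuration file, so the script does not cover it.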